The web is in the middle of a massive change from non-secure HTTP to the more secure
HTTPS protocol. All web servers use one of these two protocols to get web pages from
the server to your browser. HTTP has serious problems that make it vulnerable to
eavesdropping and content hijacking. HTTPS fixes most of these problems. That's
why EFF, and many like-minded supporters, have been pushing for web sites to adopt
HTTPS by default. As of 2016, about half of all web page visits use HTTPS. This is a
big improvement over the past, but we still have work to do.

We're calling on all web site owners to implement HTTPS by default, and
we're providing the tools to do it.

For many years, web site owners chose to only implement HTTPS for a small number of
pages, like those that accepted passwords or credit card numbers. However, in recent
years, the Internet security community has come to realize that all web pages need
protection. Pages served over HTTP are vulnerable to eavesdropping, content injection,
and cookie stealing, which can be used to take over your online accounts.

What you can do as an individual

Unfortunately, you can only use HTTPS on websites that support it, and there are
still lots of sites that don't. However, a lot of sites partially support
HTTPS— they make HTTPS available but don't send visitors to the HTTPS
version by default.

EFF created and maintains a browser extension, HTTPS Everywhere, that has a list of many
such sites, and will take you to their HTTPS version automatically. We recommend
installing it in all your browsers to make you safer from eavesdropping and content
injection on the sites it lists.

You can also check your favorite sites. When you visit them, does the URL bar at the
top of your browser show "https://"? If not, you should contact the people
who run those sites and demand HTTPS support. Feel free to link them here for a
description of why it's important.

What you can do as a web site owner

We're encouraging everyone who runs a web site to offer HTTPS and redirect
visitors to HTTPS by default. Offering HTTPS has gotten a lot
cheaper in the last 10 years, and today it won't slow down your site or make
it use more server CPU. In fact, offering HTTPS makes it possible for sites to
implement the modern HTTP/2 standard, which can dramatically speed up web browsing
relative to HTTP.

Offering HTTPS requires getting a certificate from a certificate authority. It used
to be expensive and complicated to get a certificate, but a new certificate authority,
Let's Encrypt, offers free certificates to
the public using an API that enables easy automation. Let's Encrypt is a joint
project of EFF, Mozilla, and many other sponsors.

If you manage your web site entirely through a web interface, the easiest approach
is for your hosting provider to integrate Let's Encrypt support as a setting you
can turn on. Many
hosting providers already support Let's Encrypt, and many more add support
all the time.

If you have shell access on your hosting provider, you can use Certbot, a tool developed by EFF. Certbot can get you a
free certificate from Let's Encrypt. It can also automatically configure your
Apache or Nginx server to correctly use that certificate.

What you can do as a hosting
provider

We encourage all hosting providers and CDNs to offer HTTPS by default for their
customers, at no additional cost versus their HTTP services. Many already have, like
Cloudflare, OVH, WordPress.com, and SquareSpace. The Let's Encrypt integration
guide has additional details on how to best implement HTTPS by default. We look
forward to seeing free, automatic HTTPS become the industry standard for web
hosting.

The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL). The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or...

The U.S. government sends a lot of emails. Like any large, modern organization, it wants to “optimize” for “user engagement” using “analytics” and “big data.” In practice, that means tracking the people it communicates with—secretly, thoroughly, and often, insecurely. Granicus is a third-party contractor that builds communication tools to help...